Secure proximity verification of a node on a network

ABSTRACT

A system and method determines the proximity of the target node to the source node from the time required to communicate messages within the node-verification protocol. The node-verification protocol includes a query-response sequence, wherein the source node communicates a query to the target node, and the target node communicates a corresponding response to the source node. The target node is configured to communicate two responses to the query: a first response that is transmitted immediately upon receipt of the query, and a second response based on the contents of the query. The communication time is determined based on the time duration between the transmission of the query and receipt of the first response at the source node and the second response is compared for correspondence to the query, to verify the authenticity of the target node.

CROSS REFERENCE TO RELATED APPLICATION

This application claims the benefit of U.S. provisional application Ser. No. 60/414,942 filed Sep. 30, 2002 and application Ser. No. 60/445,265 filed Feb. 5, 2003, which are incorporated herein by reference.

This invention relates to the field of communications security, and in particular, to a system and method that verifies the proximity of a node on a network.

Network security can often be enhanced by distinguishing between ‘local’ nodes and ‘remote’ nodes on the network. In like manner, different rights or restrictions may be imposed on the distribution of material to nodes, based on whether the node is local or remote. Local nodes, for example, are typically located within a particular physical environment, and it can be assumed that users within this physical environment are authorized to access the network and/or authorized to receive files from other local nodes. Remote nodes, on the other hand, are susceptible to unauthorized physical access. Additionally, unauthorized intruders on a network typically access the network remotely, via telephone or other communication channels. Because of the susceptibility of the network to unauthorized access via remote nodes, network security and/or copy protection can be enhanced by imposing stringent security measures and/or access restrictions on remote nodes, while not encumbering local nodes with these same restrictions.

It is an object of this invention to provide a system and method that facilitates a determination of whether a node on a network is local or remote. It is a further object of this invention to integrate this determination with a system or method that verifies the authenticity of the node on the network.

These objects and others are achieved by a system and method that facilitates a determination of communication time between a source node and a target node within a node-verification protocol, such as the Open Copy Protection System (OCPS). The proximity of the target node to the source node is determined from the communication delay associated with a challenge-response protocol. The node-verification protocol includes a query-response sequence, wherein the source node communicates a query to the target node, and the target node communicates a corresponding response to the source node. To distinguish between the actual communication time and the time required to generate the response corresponding to the query, the target node is configured to communicate two responses to the query: a first response that is transmitted immediately upon receipt of the query, and a second response based on the contents of the query. The communication time is determined based on the time duration between the transmission of the query and receipt of the first response at the source node. The second response is compared for correspondence to the query, to verify the authenticity of the target node, and the communication time is compared to a threshold value to determine whether the target node is local or remote relative to the source node.

FIG. 1 illustrates an example block diagram of a network of nodes.

FIG. 2 illustrates an example block diagram of a source and target node that effect a query-response protocol in accordance with this invention.

Throughout the drawings, the same reference numeral refers to the same element, or an element that performs substantially the same function.

FIG. 1 illustrates an example block diagram of a network 150 of nodes 110. One of the nodes, NodeD 110, is illustrated as being distant from the other nodes 110. In accordance with this invention, each of the nodes 110 is configured to be able to determine the proximity of each other node 110. In a typical embodiment of this invention, the proximity determination is limited to a determination of whether the other node is “local” or “remote”, although a more detailed determination of distances can be effected using the techniques disclosed herein.

FIG. 2 illustrates an example block diagram of a source node 110S and target node 110T that effect a query-response protocol to determine the proximity of the target node 110T to the source node 110S in accordance with this invention. The source node 110S includes a processor 210 that initiates a query, and a communications device 220 that transmits the query to the target node 110T. The target node 110T receives the query and returns a corresponding response, via its communications device 230. To assure that the first response corresponds to the communicated query, the protocol calls for the target node 110T to process at least a portion of the query and to include a result of this processing in the second response, via a processor 240.

The source node 110S is configured to measure the time consumed by the query-response process, and from this measure, to determine the proximity of the target node 110T. In a conventional query-response protocol, the query-response time includes the time to communicate the query and response, as well as the time to process the query and generate the response at the target node 110T, and thus the query-response time in a conventional query-response protocol is generally unsuitable for determining the communication time.

In accordance with this invention, the target node 110T is configured to provide two responses to the query. The target node 110T provides an immediate response upon receipt of the query, and then a subsequent response after processing the query. The source node 110S is configured to measure the time duration between the transmission of the query and the receipt of the first response from the target node 110T to determine the relative proximity of the target node 110T to the source node 110S. The source node is also configured to verify the authenticity of the target node 110T based on the second response from the target node 110T. In a preferred embodiment, the authenticity of the first response is also verifiable as originating from the target node 110T, either via the contents of the first response or the second response.

Using known techniques, the distance between the source 110S and target 110T can be calculated using the determined communication time between the transmission of the query from the source 110S and the receipt of the first response from the target 110T. As noted above, in a typical embodiment, the communication time is used to determine whether the target 110T is local or remote from the source 110S. This determination is made in a preferred embodiment of this invention by comparing the communication time to a nominal threshold value, typically not more than a few milliseconds. If the communication time is below the threshold, the target 110T is determined to be local; otherwise, it is determined to be remote. Multiple thresholds may also be applied, to provide for a relative measure of the degree of remoteness of the target 110T from the source 110S.

In a typical embodiment, the source 110S uses the remote/local proximity determination to control subsequent communications with the target 110T, and/or to control access of the target node to system resources, such as data and processes, based on the proximity. For example, some files may be permitted to be transferred only to local nodes, all communications with a remote node may be required to be encrypted, some files may be prohibited from inter-continental transmissions, and so on.

In a preferred embodiment of this invention, the above query-response process is integrated within a node-authentication process, such as a key-exchange process, which typically includes one or more query-response sequences.

The OCPS protocol, for example, includes an authentication stage, a key exchange stage, a key generation phase, and subsequent data transmission phases. The key exchange phase is effected via a modified Needham-Schroeder key exchange protocol, as described in “Handbook of Applied Cryptography”, Menezes et al.

At the authentication stage, each of the source 110S and target 110T nodes authenticates a public key of each other using the corresponding digital certificates.

At the start of the key exchange phase, the source 110S generates a message composed of a random number and a random key. The source 110S then encrypts the message, using the public key of the target 110T, and transmits the encrypted message to the target 110T as the aforementioned query. In accordance with this invention, the source node 110S initiates a timer when these encryptions are transmitted to the target 110T.

In the conventional OCPS protocol, the target 110T decrypts the random number and random key from the source 110S, using the private key of the target 110T. The target 110T generates a message composed of a new random number, a new random key, and the decrypted random number from the source 110S, and encrypts the message, using the public key of the source 110S, to form a response that is to be communicated to the source 110S. The target 110T also signs the response, using the target's private key.

In accordance with this invention, upon receipt of the query, the target 110T communicates a first response to the source 110S, before the aforementioned decryption of the random number and random key. In one preferred embodiment of this invention, the target 110T communicates a new random number to the source 110S as the first response, and subsequently authenticates this new random number via an addendum to the conventional OCPS response that is transmitted as the second response. In another preferred embodiment, the target 110T includes a portion of the conventional OCPS response in the first response containing an encrypted and signed new random number, followed by the remainder of the conventional OCPS response.

In the first preferred embodiment, the second response includes the random number of the first response within the material that is encrypted using the public key of the source 110S, and signed using the private key of the target 110T.

In the second preferred embodiment, the first response includes the new random number, encrypted using the public key of the source 110S, and signed using the private key of the target 110T. The encryption and signature of the new random number is effected immediately after the authentication phase, so that this encrypted and signed response is available for transmission from the target 110T to the source 110S immediately upon receipt of the query from the source 110S. After sending the first response, the target 110T decrypts the query from the source 110S, using the private key of the target 110T, and generates a new message composed of a new random key and the decrypted random key. The target then encrypts the new message using the public key of the source 110S, signs the message using its private key, and transmits the encrypted and signed response contained in the query back to the source 110S, thereby verifying the identity of the target 110T to the source 110S.

When the source node 110S receives the first response, it terminates the aforementioned timer, thereby establishing a measure of the round-trip communication time between source 110S and target 110T. Upon receipt of the second response, the source node 110S verifies the signed message, using the public key of the target 110T, and decrypts the random numbers and random key from the response, using the private key of the source 110S.

To confirm the key exchange, the source 110S transmits the decrypted new random number back to the target 110T. Both the source 110S and target 110T control subsequent communications based upon receipt of the proper decrypted random numbers. In accordance with this invention, the source 110S also controls subsequent communications based upon the determined communication time.

If both nodes are verified, subsequent communications between the source 110S and target 110T encrypt the communications using a session key that is a combination of the random keys, the public keys, and a session index.
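As an added illustration (not from the patent), the following Python simulates the two-response exchange described above on a simulated clock. Public-key encryption and signatures are replaced by HMAC tags over a pre-shared key, the first response is pre-built and tagged as in the second preferred embodiment, and the latencies, processing times and thresholds are constructed values.

```python
import hmac
import hashlib
import secrets

# Constructed stand-in: an HMAC over a pre-shared key replaces the patent's
# public-key encryption and signatures, so the example runs with stdlib only.
def tag(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class Target:
    """Target node 110T: the first response is prepared before any query arrives."""
    def __init__(self, key: bytes, processing_ms: float):
        self.key = key
        self.processing_ms = processing_ms      # time to decrypt/sign (constructed)
        self.nonce_t = secrets.token_bytes(16)  # new random number of the first response
        self.first_response = self.nonce_t + tag(key, b"first", self.nonce_t)

    def handle(self, query: bytes, t_arrive_ms: float):
        # First response leaves immediately: no processing on the timed path.
        t_first = t_arrive_ms
        # Second response is built after processing the query; it binds the
        # source's random number and the nonce already sent in the first response.
        r_src = query[:16]
        second = r_src + self.nonce_t + tag(self.key, b"second", r_src, self.nonce_t)
        return (self.first_response, t_first), (second, t_arrive_ms + self.processing_ms)

def classify(rtt_ms: float, thresholds) -> str:
    """Ordered (label, limit_ms) pairs give the 'multiple thresholds' of claim 1."""
    for label, limit in thresholds:
        if rtt_ms < limit:
            return label
    return "remote"

def run_exchange(target: Target, one_way_ms: float, key: bytes, thresholds) -> dict:
    """Source node 110S: send the query, time the first response, verify the second."""
    r_src = secrets.token_bytes(16)
    query = r_src + tag(key, b"query", r_src)
    t_send = 0.0                                   # timer starts with the query
    (first, t_first), (second, t_second) = target.handle(query, t_send + one_way_ms)
    rtt_first = (t_first + one_way_ms) - t_send    # timer stops on the first response
    rtt_second = (t_second + one_way_ms) - t_send  # what a one-response protocol would time
    nonce_t = first[:16]
    ok_first = hmac.compare_digest(first[16:], tag(key, b"first", nonce_t))
    ok_second = (second[:16] == r_src and second[16:32] == nonce_t and
                 hmac.compare_digest(second[32:], tag(key, b"second", r_src, nonce_t)))
    return {"authentic": ok_first and ok_second,
            "proximity": classify(rtt_first, thresholds),
            "conventional_proximity": classify(rtt_second, thresholds),
            "rtt_first_ms": rtt_first, "rtt_second_ms": rtt_second}

THRESHOLDS = [("local", 2.0), ("regional", 50.0)]  # constructed values, in ms

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    # Local node with slow crypto: 0.5 ms each way, 30 ms to build the second response.
    print(run_exchange(Target(key, 30.0), 0.5, key, THRESHOLDS))
    # Distant node: 40 ms each way.
    print(run_exchange(Target(key, 30.0), 40.0, key, THRESHOLDS))
```

The local run shows why the patent times only the first response: the conventional round trip, which includes the 30 ms of processing, lands in the wrong proximity band.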

The foregoing merely illustrates the principles of the invention. It will thus be appreciated that those skilled in the art will be able to devise various arrangements which, although not explicitly described or shown herein, embody the principles of the invention and are thus within the spirit and scope of the following claims.

1. A method of determining proximity of a target node to a source node, comprising: preparing a first response at the target node prior to receiving any part of a query from the source node; communicating the query from the source node to the target node; communicating the first response from the target node to the source node, immediately after the query is received and before the query is processed at the target node; receiving the first response at the source node; processing the query at the target node to produce therefrom a second response that facilitates a verification of the target node and its first response; communicating the second response from the target node to the source node; determining a measure of communication time between communicating the query and receiving the first response; and determining the proximity of the target node based on the measure of communication time, wherein determining proximity includes comparing the measure of communication time with a threshold value, and if the communication time is below the threshold, the target node is determined to be local, otherwise the target node is determined to be remote, further comparing the measure of communication time with multiple applied thresholds for providing a relative measure of a degree of remoteness of the target node from the source node, and wherein the source node uses the remote/local proximity determination to control subsequent communications with the target node and to control access of the target node to system resources based on the determined proximity.

2. The method of claim 1, wherein the query and at least one of the first and second responses correspond to at least a portion of a cryptographic key-exchange protocol.

3. The method of claim 2, wherein the key-exchange protocol corresponds to a Needham-Schroeder key-exchange protocol.

4. The method of claim 1, wherein the query and at least one of the first and second responses correspond to at least a portion of an OCPS protocol.

5. The method of claim 1, wherein the query includes an encryption of an item based on a public key of the target node, and the processing of the query includes decrypting the item based on a private key of the target node, for inclusion in the second response.

6. The method of claim 5, wherein the first response includes a random number, and the processing of the query further includes encrypting the item and the random number using a public key of the source node to form at least a portion of the second response.

7. The method of claim 5, wherein the first response includes an encryption of a random number based on a public key of the source node.

8. The method of claim 1, wherein determining the proximity includes comparing the communication time to a threshold value that distinguishes between local and remote nodes.

9. The method of claim 1, further including restricting communications with the target node based on the proximity.

10. The method of claim 1, further including restricting access of the target node to system resources based on the proximity.

11. A node on a network including: a processor that is configured to prepare a first response at the node prior to receiving any part of a query from a source node, a communication device that is configured to: receive the query from the source node, transmit the first response to facilitate proximity verification of the node, to the source node immediately upon receipt of the query and before the query is processed, and transmit a second response that facilitates a verification of the node to the source node, and the processor configured to process the query and produce therefrom the second response, wherein the source node determines a measure of communication time between communicating the query and receiving the first response, determines a proximity of the node based on the measure of communication time, wherein determining proximity includes comparing the measure of communication time with a threshold value, and if the communication time is below the threshold, the node is determined to be local, otherwise the node is determined to be remote, further comparing the measure of communication time with multiple applied thresholds for providing a relative measure of a degree of remoteness of the node from the source node, and wherein the source node uses the remote/local proximity determination to control subsequent communications with the node and to control access of the node to system resources based on the determined proximity.

12. The node of claim 11, wherein the processor is configured to process the query and produce the response as part of a cryptographic key-exchange protocol.

13. The node of claim 12, wherein the key-exchange protocol corresponds to a Needham-Schroeder key-exchange protocol.

14. The node of claim 11, wherein the query and at least one of the first and second responses correspond to at least a portion of an OCPS protocol initiated by the source node.

15. The node of claim 11, wherein the query includes an encryption of an item based on a public key of the node, and the processor is configured to decrypt the item based on a private key of the node, for inclusion in the second response.

16. The node of claim 15, wherein the first response includes a random number, and the processor is configured to encrypt the item and the random number using a public key of the source node to form at least a portion of the second response.

17. The node of claim 15, wherein the first response includes an encryption of a random number based on a public key of the source node.

18. A node on a network including: a communication device that is configured to: transmit a query to a target node, receive an immediate first response that has been prepared before receipt of any part of the query by the target node and transmitted by the target node before the query is processed at the target node, and receive a second response from the target node; and a processor that is configured to: measure a communication time between transmitting the query and receiving the first response, determine a proximity of the target node relative to the node based on the communication time, and verify the target node based on the second response, wherein determining proximity includes comparing the measure of communication time with a threshold value, and if the communication time is below the threshold, the target node is determined to be local, otherwise the target node is determined to be remote, further comparing the measure of communication time with multiple applied thresholds for providing a relative measure of a degree of remoteness of the target node from the source node, and wherein the source node uses the remote/local proximity determination to control subsequent communications with the target node and to control access of the target node to system resources based on the determined proximity.

19. The node of claim 18, wherein the processor is configured to generate the query and process at least one of the first and second responses as part of a cryptographic key-exchange protocol.

20. The node of claim 19, wherein the key-exchange protocol corresponds to a Needham-Schroeder key-exchange protocol.

21. The node of claim 18, wherein the query and at least one of the first and second responses correspond to at least a portion of an OCPS protocol initiated by the node.

22. The node of claim 18, wherein the query includes an encryption of an item based on a public key of the target node, and the second response includes a decryption of the item based on a private key of the target node.

23. The node of claim 22, wherein the first response includes a random number, and the second response includes an encryption of the decryption of the item and the random number, using a public key of the node.

24. The node of claim 23, wherein the second response further includes a signature of the decryption of the item and the random number, using a private key of the target node.

25. The node of claim 22, wherein the first response includes an encryption of a random number based on a public key of the node.

26. The node of claim 18, wherein the processor is configured to determine the proximity based on a comparison of the communication time to a threshold value that distinguishes between local and remote nodes.

27. The node of claim 18, wherein the processor is further configured to control subsequent communications with the target node based on the proximity.

28. The node of claim 18, wherein the processor is further configured to control access of the target node to system resources based on the proximity.